On July 8, 2026, China's National Vulnerability Database (NVDB) issued a high-priority security alert concerning Anthropic's AI coding assistant, Claude Code. The Chinese government agency alleges that specific versions of the tool contain a 'backdoor' functionality. This alleged backdoor is described as a built-in monitoring mechanism capable of exfiltrating sensitive user information, such as location and identity data, to remote servers without user consent. The NVDB has advised all Chinese organizations to cease using the affected versions (2.1.91 through 2.1.196) and has recommended enhanced network security controls. This move signals escalating geopolitical tensions in the technology sector, particularly around AI tools and data sovereignty.
2.1.91 through 2.1.196.The alert directly impacts:
The NVDB's alert, while not a formal law, functions as a strong directive for Chinese entities. The implied compliance requirements are:
While the alert itself does not specify penalties, non-compliance with directives from a ministry-level body in China can lead to serious consequences for businesses. This can include government audits, loss of business licenses, or being barred from government contracts. The reputational risk for a company seen as ignoring a national security warning is also significant.
Organizations in China should take the following steps:
Implement strict egress filtering to block unauthorized outbound connections from development tools, as recommended by the NVDB.
Mapped D3FEND Techniques:
Enforce policies that restrict the installation and use of unauthorized or banned software versions.
In response to the Chinese NVDB alert on Claude Code, organizations must implement robust Outbound Traffic Filtering as a primary defense. This involves configuring perimeter firewalls and web proxies to enforce a default-deny policy for egress traffic, especially from developer workstations and build servers. An explicit allowlist should be created, permitting connections only to known, vetted endpoints required for business operations (e.g., corporate cloud services, official package repositories). All other outbound connections should be blocked and logged. This strategy directly counters the alleged 'backdoor' by preventing the Claude Code application from communicating with any unauthorized remote server, thus blocking the potential exfiltration of sensitive data like location or identity information.
To comply with the NVDB directive, organizations should use Executable Denylisting (also known as application blocklisting) to prevent the specified versions of Claude Code from running. Using an endpoint security solution like an EDR or a tool like Microsoft AppLocker, administrators can create rules that block the execution of processes based on their file hash, publisher certificate, or file path. For this incident, rules should be created to block the known hashes of Claude Code versions 2.1.91 through 2.1.196. This provides a strong enforcement mechanism, ensuring that even if a user attempts to install or run the banned software, the operating system will prevent it from executing. This is a more reliable control than simply asking users to uninstall the software.
China's National Vulnerability Database (NVDB) issues a security alert regarding Anthropic's Claude Code.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.